Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Could Fake Phishing Emails Help Fight Spam?

Soulskill posted more than 5 years ago | from the hello-sir-madam dept.

Government 296

Glyn Moody writes "Apparently, the US Department of Justice has been sending out hoax emails to test the security awareness of its staff. How about applying a similar strategy to tackling spam among ordinary users? If fake spam messages offering all the usual benefits, and employing all the usual tricks, were sent out by national security agencies around the world, it would select precisely the people who tend to respond to spam. The agencies could then contact them from a suitably important-looking government address, warning about what could have happened. Some might become more cautious as a result, others will not. But again, it is precisely the latter who are more likely to respond to further fake spam messages in the future, allowing the process to be repeated as often as necessary. The system would be cheap to run — spam is very efficient — and could use the latest spam as templates."

cancel ×

296 comments

Sorry! There are no comments related to the filter you selected.

how about fake first posts? (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#26694101)

it could help you eat my asshole.

why yes (-1, Offtopic)

gandhi_2 (1108023) | more than 5 years ago | (#26694103)

frist post fights spam

Seriously? (4, Insightful)

jeffasselin (566598) | more than 5 years ago | (#26694123)

The spam problem will not be solved with laws or pretty tricks like this.

It is a technological problem, and as such will be solved by technological changes: the SMTP protocol is outdated and totally unadapted to the modern uses to which we put it. Let's replace it with something that authentifies sender and receiver properly, and that allows for efficient transmission of binary data.

Re:Seriously? (4, Interesting)

characterZer0 (138196) | more than 5 years ago | (#26694227)

Can you come up with a protocol that will not allow a zombie box to, as you say, authenticate properly?

Re:Seriously? (4, Insightful)

IBBoard (1128019) | more than 5 years ago | (#26694381)

If the zombie box has username/password on a legit account (or whatever the authentication is) then no protocol will help. It might, however, stop email faking and sending from the zombie box itself, which would give a better point of control (because at the moment anyone can send emails that purport to be from Yahoo.com from their own box, if it is set up right, but a protocol that could fail connections claiming to be Yahoo.com emails that don't come from an approved Yahoo.com server would reduce the problem). I don't think anything can solve the "spammer signs up for asdfghjkl.com and starts sending email through that server" spam.

I don't see how this'll help, though.

1) The people who fall for this won't actually learn until they're actually stung, not just an email that says it is from a government agency
2) Chances are they'll probably be more suspicious of the 'Government Agency' email than the "get stuff cheap" email because they're interested in getting stuff cheap, but why would they get an email from the Government
3) Spam is spam is spam
4) Spammers/phishers will piggyback the Government emails, clone them and send out similar emails saying they'd been caught by one of these traps, so go to [insert site]
5) Despite what I said in 1), some of these people will never learn (see the people who get conned out of thousands of £/$/etc)

Re:Seriously? (2)

N1AK (864906) | more than 5 years ago | (#26694647)

You've done a very good job of pointing out the problem with this proposed solution to spam.

The only solutions to spam that will actually work are ones that negatively effect the person whose computer is being used to send it. This leads to massive problems in trying to balance a workable service with the penalties.

Personally I would like to see ISPs begin to implement a system where they block service to anyone sending over a certain number of emails in a given time frame (this solution can be as technically advanced or simple as you like, and could even include the option to have this limit removed or increased if you contact them by say phone and request it). Instead users would only be allowed to view a portal informing them of the reason for the block, and perhaps offering links to a range of anti-virus tools.

ISPs could then block email from other ISPs whose level of spamming was excessive, until they themselves took action to limit it.

Re:Seriously? (2, Funny)

lorenzo.boccaccia (1263310) | more than 5 years ago | (#26694781)

die, you filthy linux kernel mailing list, die!

Re:Seriously? (2, Insightful)

IBBoard (1128019) | more than 5 years ago | (#26694813)

It's probably a good idea overall, but it would get a lot of criticism as either a) people with email sending addictions sent too many emails and got caught or b) people with infected machines probably wouldn't know/care about what to do and would just object to being blocked.

ISPs blocking ISPs is potentially asking for trouble, though. It's like IP blacklisting, but it leaves a lot of innocents getting hit just because the ISP hasn't dealt with some trouble makers to some arbitrary degree to make another ISP happy.

Re:Seriously? (5, Funny)

B3ryllium (571199) | more than 5 years ago | (#26694683)

"Congratulations! By responding to this test email, you've received an IRS coupon for a FREE TAX AUDIT. Enjoy!"

That's one way to teach them. Granted, it's a bit Pavlovian, but ... if it works, it works.

Re:Seriously? (4, Funny)

IBBoard (1128019) | more than 5 years ago | (#26694769)

You mean it'll make people salivate for food at the sound of a bell if they get a tax audit? Now that's some crazy conditioning!

Self identification might help zombies (4, Interesting)

goombah99 (560566) | more than 5 years ago | (#26694629)

The "good" spam is sort of like a public education campaign about STDs. It's part of a well rounded solution in raising public awareness. Your's may not need raising but you will benefit if the awareness of others' is raised so put up with it.

Now then there's the post infection detection problem. We could take a simmilar approach of turning a bad thing to our advantage. Presumably these Zombie bots try to hit a series of predefined URLS to announce their availability. Once some of those are known, when not sieze them and use them to get infected computers to self-identify then notify the owners or if unresponsive their ISPs?

That would not cure all infection. But there is a well known principal in medial virus infection called the R-factor and that is the minimum number of infections needed in a population before the disease becomes self sustaining or growing in infections. We don't have to eliminate all zombies before we reach a point where the infection rate is highly damped.

Re:Self identification might help zombies (3, Funny)

Skrapion (955066) | more than 5 years ago | (#26694901)

The "good" spam is sort of like a public education campaign about STDs.

Ooh, terrible metaphor. By that logic, this "good" spam would be like the government having unprotected sex with people to identify who needs to be educated about proper condom use.

Re:Self identification might help zombies (4, Funny)

oldspewey (1303305) | more than 5 years ago | (#26694945)

Now that's what I call a stimulus package!

Re:Seriously? (1)

squoozer (730327) | more than 5 years ago | (#26694823)

It's not possible to spot a zombie box with a protocol (at least not one that is going to be used for simply sending email) but if the machine has to authenticate with the server before sending then immediately you have and accounting trail. Zombie boxes could be dealt with very quickly and probably in a fairly automated manner. The current black listing system works fairly well but it's rather clumsy and causes a lot of friendly fire (I've been hit several times). While I like the ability to run my own mail server for free I would be willing to cough up (one time) for a certificate for it if it meant a dramatic reduction in spam.

Re:Seriously? (4, Interesting)

oldspewey (1303305) | more than 5 years ago | (#26694301)

There are advantages to thinking of (and addressing) spam as a social problem rather than a technological problem. For starters, treating it as a technological problem leads to an arms race mentality in which spammers are continually driven to "outsmart" technological safeguards as they are developed.

Personally, I have no problem with an approach in which "purchasers" (in other words, anybody who responds to spam in any way) are exposed and educated by any means necessary ... with education consisting of an escalating series of measures until the recipients finally comprehend just how fucking stupid their actions were.

Re:Seriously? (4, Insightful)

caffeinemessiah (918089) | more than 5 years ago | (#26694349)

Let's replace it with something that authentifies sender and receiver properly, and that allows for efficient transmission of binary data.

Sigh...it's so tiring to hear people on /. say things like "it's a technological problem" about spam. Do you know how easy it is to get a personal digital certificate from Thawte? Fill out a few forms, download your PKCS certificate. What's to stop your sooper-dooper anti-spam system if you can authenticate a spammer? Remember, if you can legitimately receive an e-mail message from ME (a stranger to you, presumably), you haven't "solved" spam. If you can't legitimately receive an e-mail message from me, I can't tell you that I'm your long-lost twin brother (i.e. your email system is then useless).

Re:Seriously? (2, Interesting)

Chyeld (713439) | more than 5 years ago | (#26694545)

So your arguement is basicly "The current system sucks, therefore no system will work!"?

Re:Seriously? (1)

Thanshin (1188877) | more than 5 years ago | (#26694415)

the SMTP protocol is outdated and totally unadapted to the modern uses to which we put it. Let's replace it with something that authentifies sender and receiver properly.

That would be nice. All messages could be identified by IP. No wait, it can be spoofed.

Then they can be identified by MAC. Hmm, but which mac to use?

Better by full name and Social security number. Yes, that's it! Let's include all data in each mail so the receiver can identify us.

Or better yet, with a credit card number and its pin.

Humm, no, that seems dangerous.

Let's sign the mails with an asymetric encription scheme. Wait, what? What do you mean it already exists and people have been using it for a decade?

Re:Seriously? (3, Interesting)

moteyalpha (1228680) | more than 5 years ago | (#26694751)

That is definitely a solution and it is just __scary__ what my customers will do. I have considered training them to use encrypted email and there is a learning issue there. They will not learn how to use it as it is irritating to them and consumes their time. They will simply ignore me and hire somebody that will not bother them about security, even though they are exposing information about others.
Private customers are even worse, their computer skill level is so low that it is impossible to communicate the fact that they __personally__ must do something and there is no widget solution.
As far as the government doing this, it just makes matters worse. Soon the spammers will mimic the official documents and as a final step will tell the consumer to install pwn_my_Machine.exe to solve all their problems.

Re:Seriously? (2, Interesting)

bruunb (709544) | more than 5 years ago | (#26694919)

Well either sign/encrypt the message with the receivers key or just make the SMTP protocol fetch the mail from the MX server that is says it comes from, this will make sure that approx. 90% of all spam will never reach you inbox since they need to have a valid MX record for the mail to orriginate from.

To day the SMTP protocol goes like this:

userA@sub1.example.com sends a mail from a spoofing SMTP server at some arbitrary IP address to someuser@sub2.example.com, the sub2 SMTP server receives everything from SMTP server from the IP address, "thinking" it is from SMTP at sub1 and puts it in the inbox of someuser@sub2.example.com.

If it was "reverse"-SMTP then it would be like this:

The spoofing SMTP sever at some IP sends a mail for userA@sub1.example.com to someuser@sub2.example.com.
The SMTP server at sub2 gets the inital handshake from the spoofing SMPT IP server and then, according to the senders email address eg. the "From:" tag, contacts the MX SMTP server for that email address to fetch the actual mail.
Since the SMTP server for sub1 does not have the mail that is being sent by the spoofing SMTP server, the SMTP transaction is dropped and the mail never reaches the inbox of someuser@sub2.example.com.

Simple solution to a major problem. No valid MX record for the spoofed email disables the spammer from sending a spoofed email.

It will make it easier to track down spammers since they need an actual domain with an MX record, but it does not, however, solve the problem with fake domain registrations for MX records or hacked DNS records (I'm thinking demographic information (name, address, contact information etc.) But as I understand then work is in progress to make this better... or perhaps not, might just be a dream I had :-)

Re:Seriously? (4, Insightful)

Elledan (582730) | more than 5 years ago | (#26694439)

How is this a technological problem? How is a user failing to properly read and/or comprehend that the email he or she just received is trying to scam him/her out of money or (personal) information or worse a technological problem? What if a user gets infected by a virus/trojan/worm/rootkit because he had to click on the executable attached to the email received from either a stranger, or from a person who would never send such an email (at least not unannounced)?

Spam is a matter of social engineering, of convincing someone to buy a product, give out information or click on a random executable, even though every rational fibre in that person's body should warn against doing so. Yes, using something more robust than SMTP would help, but it's no cure against stupidity and botnets.

I like this initiative, I just wish it would target those who are already at risk of 'stupid-clicking' instead of those with more than one braincell. It's disappointing that those who do respond to spam emails (twice or so...) don't get taken out of the gene pool either :(

Re:Seriously? (1)

oldspewey (1303305) | more than 5 years ago | (#26694525)

It's disappointing that those who do respond to spam emails (twice or so...) don't get taken out of the gene pool either :(

I'm surprised this has never happened to people buying from pill spammers. Think about it: there are thousands and thousands of people ingesting pills purchased from anonymous untraceable strangers with probable ties to organized crime. I'm amazed Al Quaeda or some similar group hasn't clued in to this one yet.

Re:Seriously? (1)

Kugala (1083127) | more than 5 years ago | (#26694561)

They probably have, but why kill off an income source for no particular reason?

Re:Seriously? (0)

Anonymous Coward | more than 5 years ago | (#26694871)

Death to all americans!

not a tech problem - it's a PEOPLE problem (3, Insightful)

petes_PoV (912422) | more than 5 years ago | (#26694467)

> It is a technological problem,

No.

Spam persists because a tiny (absolutely, infinitesimally small) proportion of the recipients actually respond to it. Whether that's due to stupidity, greed (oooh - I might get something for nothing), boredom, accident or simply curiosity (hmm, I've never replied to SPAM before, I wonder what happens).

The costs of sending it are so low, that it is still worthwhile, providing there's one idiot in a million who takes the bait.

How do you cure this people problem? I don't know. Even if you spend you whole life telling children not to put dirt in their mouths, some still will. You'll never get rid of spam until all the dirt-eaters and spam-responders get a dose of common sense, and that'll never happen.

Re:not a tech problem - it's a PEOPLE problem (1)

Kral_Blbec (1201285) | more than 5 years ago | (#26694565)

Just to be a bit of a devil's advocate, eating dirt in childhood helps develop the immune system and can prevent allergies later in life.

To take this even further OT (3, Funny)

PitaBred (632671) | more than 5 years ago | (#26694635)

And a lot of times children eat dirt because they're mineral deficient [drgreene.com] , not because they're stupid.

Re:not a tech problem - it's a PEOPLE problem (1)

IBBoard (1128019) | more than 5 years ago | (#26694865)

How do you cure this people problem?

Send a hit-squad round to the house of everyone found responding to spam? Nuke the earth from orbit, thereby removing both the spam emails (fry the drives) and the recipients/clickers (fry the people)? I'm sure there are ways ;)

I'm with ya brother (1)

zappepcs (820751) | more than 5 years ago | (#26694469)

The last damn thing I want is to click a link out of curiosity and within five minutes be standing there having to listen to the IT guy say "here's your sign" or end up in the HR office explaining my seeming poor hand-eye coordination because I accidentally clicked on a link in an email from the fscking HR department. Don't these people have enough work to do?

Re:Seriously? (5, Funny)

CompMD (522020) | more than 5 years ago | (#26694547)

The real solution is to simply tell all respondents that they have won an all expense paid vacation. Send them some fake e-ticket to print out and tell them where to go, and then just put them all on a rocket to the sun. Problem solved.

Re:Seriously? (2)

Skrynesaver (994435) | more than 5 years ago | (#26694963)

The "B Ark" solution, I like it.

Re:Seriously? (1)

Davemania (580154) | more than 5 years ago | (#26694551)

It is not just a technological problem. It is both a social and technological problem and technology itself can not address the randomness of human minds (stupidity, over confidence or ignorance etc). Scammers will always find a way around technology and other approaches have to be considered. I don't consider informing the public as a petty trick, this is something that is being used in real life and should be considered as a viable option.

Not Seriously?!? (1)

Geoffrey.landis (926948) | more than 5 years ago | (#26694649)

Ick. What a stupid idea.

The reply rate to spam, if I remember recent numbers recently, is something like one reply in ten million messages sent. To have even a marginal effect on the spam, you'd have to reach at least a million users. So, that means they're proposing that the government send out ten billion spam messages.

Dumb.

Much better is to follow the money trail-- the spammers have to have a way to make money. Follow that trail.

Nah, dumb idea.... (4, Insightful)

King_TJ (85913) | more than 5 years ago | (#26694129)

In my experience, many of the people clueless enough to respond to some spam email are also the ones who wouldn't understand the reply that came back to warn them of their behavior.

(Heck, you wouldn't believe how many people I've had to help out, because a free version of their Windows anti-virus software expired, and they couldn't figure out what to do with the windows popping up to tell them they needed to download the newer version. They thought that stuff meant their anti-virus "broke" because they got a virus!)

Re:Nah, dumb idea.... (1)

lastchance_000 (847415) | more than 5 years ago | (#26694377)

I wonder how long it would take for fake government-anti-spam-warning emails to start showing up?

... the dumb ones are usually the bosses (1)

petes_PoV (912422) | more than 5 years ago | (#26694505)

So what happens when the CEO falls foul of the faux-spam campaign?

My guess is that it'll be pulled faster than the pay-rise of the person who made him/her look an idiot by instigating it, in the first place.

Re:Nah, dumb idea.... (1)

AlexBirch (1137019) | more than 5 years ago | (#26694671)

Perhaps now that Obama has closed Gitmo down for terrorists, we could use that space for people who repeatedly respond to spam.
Or we could just send them to Cuba where they will not do us any harm.

it's already in use... (2)

Kindaian (577374) | more than 5 years ago | (#26694133)

And it's called more exactly honey-pots.

Re:it's already in use... (4, Informative)

ericspinder (146776) | more than 5 years ago | (#26694287)

And it's called more exactly honey-pots.

Actually, honey pots are more about collecting spammer addresses, not identifying their targets.

stupidity tax (2, Funny)

patjhal (1423249) | more than 5 years ago | (#26694155)

And the government spam could bilk the gullible out of money just like real spam. They could lower regular taxes by creating this stupidity tax. Also the DOD could spread viruses on this government spam that take over machines to use in web war. And no need to keep it local, it could be worldwide.

Re:stupidity tax (1)

oldspewey (1303305) | more than 5 years ago | (#26694461)

They could lower regular taxes by creating this stupidity tax.

Where do I sign the petition?

Re:stupidity tax (0)

Anonymous Coward | more than 5 years ago | (#26694685)

They could lower regular taxes by creating this stupidity tax.

We already have one of those, [wikipedia.org] it doesn't work.

Average citizens are already doing this (1)

iYk6 (1425255) | more than 5 years ago | (#26694725)

If this thing worked, than it would already be working. There are plenty of people out there attempting to "teach someone a lesson" by scamming them out of their money. Sometimes the lesson takes, and sometimes it doesn't. The thing is, actually scamming someone out of their money is a stronger lesson than pretending to, and in the millenia that this has been happening, it hasn't significantly lowered the number of gullible people on this planet.

adblock on slashdot (-1, Offtopic)

Lord Ender (156273) | more than 5 years ago | (#26694157)

Well, I wasn't running adblock plus against slashdot until I loaded this story and got the "Barack the magical negro" ad. Sorry, slashdot. You get no more ad views from me.

actually, this works fairly well. (5, Informative)

gandhi_2 (1108023) | more than 5 years ago | (#26694163)

my school district did the same thing, and it works great.

It's the best form of targeted training. Only those who fall for shit like this get a lesson, and follow-up fake scams had a MUCH lower success rate.

Re:actually, this works fairly well. (2, Interesting)

socsoc (1116769) | more than 5 years ago | (#26694419)

Really? Sounds ridiculous to me. It's difficult enough to convince people that your work e-mail is for work related matters... I don't need management asking me to sent out a phish attempt to the staff as a test.

Re:actually, this works fairly well. (1)

uncledrax (112438) | more than 5 years ago | (#26694495)

Pretty sure a local university does that here.. but what they do is if you click through to the site, the SITE itself tells you "Hey Dumbass.. you just got phished.. here's some info and the whys-and-wherefors". (The Site in question would actually be under the admins control and on the LAN)

I agree with most people here that the follow up email idea is bad because I'm probably MORE likely to ignore an email that says it's from the government

Re:actually, this works fairly well. (1)

JCSoRocks (1142053) | more than 5 years ago | (#26694801)

As much as I hate the thought of even more spam coming my way... it makes perfect sense. It'll basically act as a sort of PSA for people that have no idea what they're doing.

oblig (1, Funny)

LunarCrisis (966179) | more than 5 years ago | (#26694841)

Spam is like XML, if it doesn't solve the problem, use more.

Dumbass idea, man (5, Insightful)

Eggplant62 (120514) | more than 5 years ago | (#26694177)

Sending more spam in the name of eliminating spam is not eliminating spam. It's still creating a mess on people's email servers and personal computers, and storage for much of it adds up, especially at the server level. How about we simply improve our educational system and teach marketing majors a bit more about business ethics and ethical advertising?

Re:Dumbass idea, man (1)

utnapistim (931738) | more than 5 years ago | (#26694383)

That's a good argument, but I think you oversimplify.

The intention behind it is to stop spam, and the results of responding to these emails will lead to the responders answer less in the future (at least in theory).

While I agree with the principle that "the same energy that creates a problem cannot be used to solve it", this is not the case here.

For a similar example, there are vaccines that use a dead/weakened virus to trigger an antiviral response from the body (and you could say that sending more viruses to eliminate viruses will not eliminate viruses).

Re:Dumbass idea, man (1)

Eggplant62 (120514) | more than 5 years ago | (#26694409)

Go back to my original response and read the first sentence again: Sending spam to eliminate spam is not eliminating spam.

If that's too overly simple for you, I don't know of any other way to get the point across.

Re:Dumbass idea, man (4, Insightful)

Ajaxamander (646536) | more than 5 years ago | (#26694589)

The point isn't to eliminate spam TODAY, the point is to eliminate spam TOMORROW. If people who don't understand that it's a scam are taught that it is a scam, then there will be fewer of them. What better way to improve spam/scam education than to target it to those who need it most? The fewer suckers^Wtargets there are, spam becomes a lot less viable of a business model.

I find your complaints (and, frankly, suggestions) myopic. You can teach ethics all you want, but the basics of human nature show time and time again that it's not guaranteed to stick.

Re:Dumbass idea, man (2, Insightful)

Mr. Underbridge (666784) | more than 5 years ago | (#26694739)

Go back to my original response and read the first sentence again: Sending spam to eliminate spam is not eliminating spam. If that's too overly simple for you, I don't know of any other way to get the point across.

That's a great sound bite for an audience with an IQ of about 80, but it doesn't hold up to analytical rigor. If you decrease the spam response rate, you make spamming less lucrative, and you have fewer spammers.

That's still pretty simple, even for sound-bite based logic such as you seem to prefer.

Re:Dumbass idea, man (2, Insightful)

gurps_npc (621217) | more than 5 years ago | (#26694477)

This isn't spam. It LOOKS like spam. But just as spam looks like a legitiamte message, but isn't, this looks like spam but isn't. It is a message from your BOSS. What you want to do is to force everyone, even those of us smart enough to ignore spam to take meaningless, boring classes about things we already know. As others said, it is targetted training. It is carefully and SUPERBLY designed so that those that don't need the training are not bothered by it. But those idiots that need it, get the training.

Re:Dumbass idea, man (0, Flamebait)

Eggplant62 (120514) | more than 5 years ago | (#26694523)

Email sent to people without them first consenting to the process is spam, plain and simple. I don't care what it looks like.

SENDING MORE SPAM TO ELIMINATE SPAM IS NOT ELIMINATING SPAM, DUMBASS.

Re:Dumbass idea, man (2, Insightful)

PitaBred (632671) | more than 5 years ago | (#26694699)

Spam is in the eye of the beholder... hell, look at how many marketing emails that people request are subsequently marked as "spam" because they no longer want them, not because they somehow magically turned from "good" to "spam".

Besides, we're talking about companies sending these fake messages to their own employees, a local, controlled list. If it's your own network, it's not spam. It's an approved, system-wide message. Get off your high horse.

Re:Dumbass idea, man (1)

AndrewNeo (979708) | more than 5 years ago | (#26694713)

All spam will be government spam!

Re:Dumbass idea, man (1)

Eggplant62 (120514) | more than 5 years ago | (#26694555)

I should amend this: If that's what you want to do with your own email servers at your own business, have at you. But if your fakeass offers end up in my inbox, the server I receive them from will be treated like every other one that sends spam -- reported to major blocklisting facilities and added to local blocklists.

Re:Dumbass idea, man (3, Insightful)

vagabond_gr (762469) | more than 5 years ago | (#26694493)

I'm really surprised that phishing and viruses are confused with spam, they are very different things:

- viruses/phising: really "dangerous" messages. Opening them might lead to a comprimised bank account, PC, etc. In this case fake viruses/phising emails might help, educating people not to open such emails.

- SPAM: useless but harmless messages that are merely an annoyance to 99.9% of people. The problem is not opening such emails but the mere fact that you receive them. If someone opens spam then he might be actually interested in the advertised products, which is not bad, the problem is only that the same email is sent to thousands of people who are not. Sending fake spam to educate people not to open spam is just stupid. I don't think spam has anything to do with this article, the word has been just incorrectly used.

phishing vs. spam (1)

SirGarlon (845873) | more than 5 years ago | (#26694627)

Since I never open spam, I don't know how many messages connect to sites that really sell the advertised products, and how many only seem to sell as ruse to get people's credit card numbers. I would presume the latter far outnumber the former. Given that the only way to tell phishing from spam according to your definition is to try to buy something, it seems to me you're making the distinction overly fine.

Re:Dumbass idea, man (0)

Anonymous Coward | more than 5 years ago | (#26694637)

Sending more spam in the name of eliminating spam is not eliminating spam

Amen. And it'd waste of our money.

Re:Dumbass idea, man (1)

Ogive17 (691899) | more than 5 years ago | (#26694793)

Why is it a bad idea? The people who wouldn't click on the link embedded in the email won't even bother reading the message. Those that typically fall for phishing attacks are the ones most likely to click on the link.. and maybe they'll learn a lesson.

I think the "solution" is so simple that it might just actually help. Even if it only educates 1% of the click throughs it has still made an impact. What's the best way to stop phishing? Make it not worth the while.

Awful (3, Insightful)

mtrachtenberg (67780) | more than 5 years ago | (#26694193)

This idea is awful for the same reasons that I don't want the local police department entering my home to show me how easy it is to pick my locks.

The idea smells of John Ashcroft appointees.

Been there done that. (5, Interesting)

Lumpy (12016) | more than 5 years ago | (#26694213)

I did that back in 2001 to the sales force at Comcast. we in the IT department formed and sent a email with a exe file payload. when ran it reported back to us who opened it and pooped up a message on their screen that said, "IF I WAS A REAL VIRUS ALL YOUR FILES WOULD BE DELETED"

we sent it from outside the company with a yahoo.com address

85% opened and ran the attachment. we used this as a part of our It education to our users. after the classes that month we repeated it 45 days later.

we had a 90% opening rate this time. you really can not teach the users. Most people who are not IT professionals dont care. If they hose their own computer they dont have to fix it, you do.

The only effective thing would be to actually delete all the users files and never give them back. Humans only really learn from cause and effect. Simulations rarely teach them.

Re:Been there done that. (4, Interesting)

u38cg (607297) | more than 5 years ago | (#26694277)

There was also that university that sent all their students an email to warn them about phishing. Included in the email was a typical phishing text, along with comments on style and grammer. I think the guy that sent it out got something like forty or fifty usernames and passwords back.

Re:Been there done that. (2, Funny)

Hatta (162192) | more than 5 years ago | (#26694375)

The only effective thing would be to actually delete all the users files and never give them back. Humans only really learn from cause and effect. Simulations rarely teach them.

Fire them all after the 2nd time. The survivors would warn the new hires.

Re:Been there done that. (1)

y5 (993724) | more than 5 years ago | (#26694465)

Dwight Schrute? Is that you?

Re:Been there done that. (1)

JCSoRocks (1142053) | more than 5 years ago | (#26694825)

Now there's a man that knows how to consolidate power.

Re:Been there done that. (0)

Anonymous Coward | more than 5 years ago | (#26694395)

Arrange with management to get a reasonable contract change in: Opening these leads to docked pay - enough docked pay to hurt. After the first couple of thousand, they're likely to learn.

Re:Been there done that. (1)

LihTox (754597) | more than 5 years ago | (#26694965)

Or, since docking pay sounds hard to arrange, try public shaming. "The following morons got pwned this week." Put it in the break room at first, threaten to post it in the lobby next time.

Re:Been there done that. (1)

Covert Penguin (1094443) | more than 5 years ago | (#26694517)

Most people who are not IT professionals dont care. If they hose their own computer they dont have to fix it, you do.

+1, Proving that this requires a technical solution, as opposed to some new method of training users.

Your post advocates a.... (5, Funny)

mindstorms (788968) | more than 5 years ago | (#26694247)

Your post advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Your post advocates a.... (1)

Lumpy (12016) | more than 5 years ago | (#26694437)

Exactly.

which is why we blocked ALL attachments on emails except for zip files. and as far as I know that limit is still in place.

The users whined for 3 months. then they got over it.

worked great. The only way to get a user to stop doing things is to slap their hands. They refused to be smart opening attachments, so we took away attachments.

Last I knew they were sending out a group policy that disabled script execution in Office as well, I no longer have anyone on the inside since the last 2 rounds of layoffs have gutted their IT hard.

Re:Your post advocates a.... (1)

jeffasselin (566598) | more than 5 years ago | (#26694735)

And then spammers started putting their viruses and malware in zip files.

And then you had to start over again.

Re:Your post advocates a.... (1)

jgtg32a (1173373) | more than 5 years ago | (#26694863)

TAR

Re:Your post advocates a.... (1)

Geoffrey.landis (926948) | more than 5 years ago | (#26694805)

I like your checklist. Lots of really good points there.

I'm just not quite sure that I agree with this one, however:

( ) Sending email should be free

First, philosophically, I'm not sure I agree with any statement that anything "should" be free. What does "should" mean here? I can list ten thousand things that "should" be free, and if I had my choice, food, shelter, medical care, and beer (free, as in beer) all "should" be free. I'd call all of these higher priority than listing which internet services "should" be free.

Second, why should sending email be free? Sending email has a cost. Why "should" the cost be paid by somebody else?

Perhaps (2, Funny)

lord_sarpedon (917201) | more than 5 years ago | (#26694249)

Perhaps they could hire some kind of outside contractor - with an extensive botnet and lots of spam-sending experience - at some ridiculous fee! I'm sure with significant compensation, these professionals could be convinced to spam the DoJ.

In all seriousness, all this will do is make a certain few people very very sad inside when they see just how easy it is to fool the common deskmonkey, and just how much info you can get. At best, some of those certain few people will become motivated to make it their profession...

Re:Perhaps (1)

Hanners1979 (959741) | more than 5 years ago | (#26694433)

Perhaps they could hire some kind of outside contractor - with an extensive botnet and lots of spam-sending experience - at some ridiculous fee!

I hear MediaSentry aren't very busy at the moment...

I do respond to some (1)

camcorder (759720) | more than 5 years ago | (#26694255)

From my garbage Gmail account with swearing and flame. Yes, I do have some free time to waste, as obvious.

So how does that help? (1)

captainpanic (1173915) | more than 5 years ago | (#26694271)

I guess it's better to receive one spam than the other? Like it's better to have political advertisement than laundry detergent advertisement?

Spam = spam
If you start fighting spam with spam, you become part of the problem.

Re:So how does that help? (0)

Anonymous Coward | more than 5 years ago | (#26694503)

I guess it's better to receive one spam than the other? Like it's better to have political advertisement than laundry detergent advertisement?

Spam = spam
If you start fighting spam with spam, you become part of the problem.

PHAIL!!!

The idea is to educate the user what spam is and not to respond and buy stuff. If people stop buying stupid pen0r enlargement kits, spammers would stop sending their "offers".

of course they could (-1, Troll)

timster (32400) | more than 5 years ago | (#26694291)

More info here [google.com]

Two wrongs don't make a right (1)

pinkushun (1467193) | more than 5 years ago | (#26694313)

Even fake spam will circulate and congest the tubes, not? It's like punishing someone for being naive. Rather educate than catch, it goes a lot further.

Phishing side-effect (5, Insightful)

paulthomas (685756) | more than 5 years ago | (#26694315)

Let me get this straight -- we should suggest to people who are highly credulous that there is the possibility that they might receive legitimate email from "suitably important-looking government address"?

That will never cause bigger, more successful phishing scams.

Antivirus virus! (1)

nomorecwrd (1193329) | more than 5 years ago | (#26694463)

Then, how about a government funded antivirus, to be distributed and replicated as a virus? Everybody will then be protected.
It's relatively cheap to do and will save millions in loss due to malicious viruses.
Talking about fighting fire with fire.

Will not solve it but it could help (1)

slackoon (997078) | more than 5 years ago | (#26694509)

I would say that a more harsh approach is needed. I like the idea but I say a 2 or three strikes and your out method would be more effective. In other words, if thery respond to one fake spam ... one strike...another...two strikes and if they respond to a third...SEND THEM PACKING!!

Man, this is messing with my head. (1)

Shackleford Hurtmore (1465057) | more than 5 years ago | (#26694573)

Cool - that could mean that spammers would start writing botnets that would also block government spam from landing on the computer, in case the user gets educated and figures out how to secure their computer. I can imagine a new spam race where the government has to write ever more clever spam to get round the malware's rulebase!

Better security through spam? (1)

Rambo Tribble (1273454) | more than 5 years ago | (#26694659)

Couldn't they do better security through porn? That would be more fun.

Let's see how this escalates... (0)

Anonymous Coward | more than 5 years ago | (#26694663)

1. Government sends out fake spam with links to lure people who fall for phishing
2. Phishing link clickers visit government site, and fill out form
3. Government sends link clicker an email saying "Don't do that"
4. Phishers send out fake government spam with links to lure people who fall for phishing
5. Phishing link clickers visit fake government phishing site and fill out form, now asking for credit card/bank information in order to "better protect you"
6. Phishers happily collect information via another official looking form

Payload should update and clean (1)

patjhal (1423249) | more than 5 years ago | (#26694667)

To really be effective the spam should update any system and antivirus software. If no antivirus software is found then it should install clamwin. After the updates it runs a full virus scan in the background. The more someone falls for it the more their machine gets needed maintenance.

Fake spam is so much different than real spam (1)

noidentity (188756) | more than 5 years ago | (#26694747)

If fake spam messages offering all the usual benefits, and employing all the usual tricks, were sent out by national security agencies around the world, it would select precisely the people who tend to respond to spam. The agencies could then contact them from a suitably important-looking government address, warning about what could have happened. Some might become more cautious as a result, others will not. But again, it is precisely the latter who are more likely to respond to further fake spam messages in the future, allowing the process to be repeated as often as necessary.

Brilliant idea! They could send those out daily, so that the rest of us could receive even more spam. "More spam!" you say, but you're forgetting it'll be FAKE spam. Big difference!

Darwin (1)

Reibisch (1261448) | more than 5 years ago | (#26694759)

Why bother trying to protect those that Darwin should be claiming? Even if we somehow warn them suitably, they'll just be taken in by the next scam.

Let them deal with their own problems.

Infotainment (4, Interesting)

freedumb2000 (966222) | more than 5 years ago | (#26694771)

If anyone really, the media (TV, print ect.) should step in and educate. I bet if Regis did a bit on some common sense ways to spot and avoid spam and phishing, that I am sure would go a long way to educate the average joe/mom about the dangers. Or a 60 minutes on Spam. A bit on MSNBC. I column in a monthly rag. In my experience people are very curious and/or afraid of getting infected or spammed and enjoy any helpful information that they can put to use right away to protect themselfs.

Spear Phishing isn't "just spam" (1)

higapleez (1448139) | more than 5 years ago | (#26694819)

People need practice spotting real, highly crafted spear phishing attacks. These emails are MUCH more specialized then spam. The DOJ isn't the first to use this education technique and they won't be the last. Organizations pay for this training. Just look at www.phishme.com.

Kill kill kill (1)

wytcld (179112) | more than 5 years ago | (#26694849)

How about we use the government resources directly against the spammers?

1. Set up false fronts to buy the products.

2. Trace the transactions.

3. Establish a swift death penalty for whoever receives the funds.

Yes, this would need safeguards - for instance when spammers start threatening to send out spam for products from businesses other than their own, to blackmail those businesses with threat of government response. But for instance when the payment can be traced directly to a Canadian "pharmacy," simply extradite and execute the pharmacists - or jail for life if the extradition treaty doesn't allow for execution.

Who would miss these people? Who would be sorry this had been done?

Fp ni0gga (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26694879)

The Government ain't your daddy. (1, Interesting)

thecoolbean (454867) | more than 5 years ago | (#26694903)

the LAST thing any of us want is for the
bureaucracies to be responsible for what e-mail we receive and what e-mail we do not. If people cannot be trouble to acquire or hire the expertise necessary to reduce spam, then let them eat spam. People have the right to pursue happiness, bear arms, to assemble and to worship. They also have the right to be cold, hungry, homeless sick and dead.

And to have their inboxes stuffed with spam.

Is the right moment? (1)

gmuslera (3436) | more than 5 years ago | (#26694933)

We are at the border of the abyss, but we will take a step forward. Adding spam to the system will do in the short term more harm than good, and in the long term? People that follow the spam links probably have not enough discern to learn the lesson, or even worse, the spam will start coming with a "this time we are serious" warning to take distance from that experiment.

Could be of consideration taking control of domains/URLs very refered by spam, and instead of taking them down (by the hosting ISPs or whatever) redirect them to a central warning "dont follow this or you will be sorry" site, you will not add more spam to the system, and still will warn people that follow the links.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>